AES keys should have the CKA_VALUE_LEN attribute to say how long they are, so
that PK11_GetKeyLength and PK11_GetKeyStrength work properly. I think this
should happen in pkcs11.c:validateSecretKey, where it happens for all the other
variable-length secret key types.
I should point out I'm using a token symmetric key. Looking into this a little
deeper, I see that pkcs11u.c:pk11_FindSecretKeyAttribute has no code to return
the CKA_VALUE_LEN field. So the problem may be there instead.
I'll add the code, though the NSS's use of CKA_VALUE_LEN appears to be a
non-standard use. Longer term this should be raised with the pkcs #11 working group.
Created attachment 104016 [details] [diff] [review]
Add CKA_VALUE_LEN to the attributes returned for token secret keys.
checked into tip.